-
标题
What is the purpose of the Encryption key used in Active Roles? -
说明
What is the purpose of the Encryption key used in Active Roles (ARS)?
-
解决办法
The encryption key is only used to encrypt passwords for domain override accounts (including AD LDS instances).
Other than passwords, we do not encrypt any other data.By default, the encryption key will be created in the following folder:
C:\Documents and Settings\All Users\Application Data\Quest Software\ActiveRoles Server\... with a default name of: ARS_encryption_keys.bin
Scenario Questions
Question: If I lose my encryption key, does that mean I won't be able to use ARS?
Answer: No. If you lose your encryption key, all is not lost. Since the encryption key is used for the Managed Domain password encryption, you can simply install ARS and use a NEW database and import the settings from the old database and it will prompt you to create a new encryption key file. Another method is to bring up an additional ARS service. It can retrieve the encryption key from an already running ARS service machine (you will be presented with the option to do so during installation).
-
If you do not have the encryption file for your original ARS service, you can still upgrade to 6.9 from 6.x (just create a new key if necessary)
-
If you have multiple ARS services sharing one database, you really do not need the encryption key as ARS can pull the encryption information from the existing running system
-
The encryption key file is not used during the upgrade
Question: Exactly what scenario would you absolutely need the ARS encryption key file?
Answer: The scenario is as follows:* You would like to add another ARS service to an existing shared database
* You don't have any services connected to the same database up and running
* You cannot afford re-typing passwords for managed domains -
-
其他信息
ARS encrypts some data, stored in the ARS database. Encryption is performed using a symmetric cipher. In order to use it you need the encryption key. So the file is password protected. Normally ARS keeps this key inside of the ARS database using an asymmetric cipher. Thus ARS itself can get the value of this key from the database. ARS also has logic that allows the service to share this key with other services (like several services per single database). Even if you lose this file it is not an issue. You would only need to re-type passwords for the managed domains. The only situation when you would need this file: You want to use an existing ARS database but cannot afford to retype passwords for Managed Domains.